Shorewall users - Jul 2012 - How to drop (or blacklist) an IP immediately

Hi, I have type a "shorewall (4.5.4) drop x.x.x.x", an malware IP that
constantly tried to access my DNS, but the IP was not blocked
immediately.
> -A dynamic -s x.x.x.x/32 -j DROP
>  ....
> -A INPUT -i eth1 -j net2fw 
> -A net2fw -m conntrack --ctstate INVALID,NEW -j dynamic 
> -A net2fw -p tcp -j tcpflags 
> -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
> -A net2fw -p udp -m udp --dport 1194 -j ACCEPT 
> -A net2fw -d y.y.y.y/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
> -A net2fw -d y.y.y.y/32 -p tcp -m tcp --dport 22 -j ACCEPT 
> -A net2fw -d y.y.y.y/32 -p tcp -m multiport --dports 80,443 -j ACCEPT 
> -A net2fw ! -s x.x.x.x/32 -d y.y.y.y/32 -p tcp -m tcp --dport 53 -j ACCEPT 
> -A net2fw ! -s x.x.x.x/32 -d y.y.y.y/32 -p udp -m udp --dport 53 -j ACCEPT 
This probably happens because the connection is always active:
> # shorewall show connections |grep x.x.x.x
> ipv4     2 udp      17 178 src=x.x.x.x dst=y.y.y.y sport=80 dport=53
src=y.y.y.y dst=x.x.x.x sport=53 dport=80 [ASSURED] mark=0 secmark=0 use=2
> 
and the rule "dynamic" is applies only to new connections
"conntrack
--ctstate INVALID,NEW"

In addition, the rule:

"-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"

makes the connection to be accepted without meeting the rule would not
allow access to DNS:

"-A net2fw ! -s x.x.x.x/32 -d y.y.y.y/32 -p udp -m udp --dport 53 -j
ACCEPT"

What am I doing wrong?

It''s possible, after a shorewall drop IP, delete the alive connection
for the dropped IP?

Many thanks for reply

-- 
Dario Lesca - sip:dario@solinos.it
(Inviato dal mio Fedora Linux)


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 07/19/2012 04:56 AM, Dario Lesca wrote:
> 
> What am I doing wrong?
> 
> It''s possible, after a shorewall drop IP, delete the alive
connection
> for the dropped IP?
You can set BLACKLISTNEWONLY=No in shorewall.conf.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________





------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Il giorno gio, 19/07/2012 alle 07.02 -0700, Tom Eastep ha
scritto:
> You can set BLACKLISTNEWONLY=No in shorewall.conf.
> 
> -Tom
Thanks Tom!
(especially thanks for your excellent work and availability)
>  
-- 
Dario Lesca - sip:dario@solinos.it
(Inviato dal mio Fedora Linux)


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/